Some individuals have pointed out that they were getting 401 Unauthorized error messages when connecting in via EWS with MFA fully enabled on a user.
UPDATE as of 11:15am EST on 11/4/16 BHIS has retested the portion of this article detailing a bypass against Office365 Multi-Factor Authentication and it does indeed appear to not work. It is a problem in which Microsoft Exchange server exposes the Exchange Web Services interface unprotected by 2FA alongside OWA. It should be stated that this is NOT a vulnerability in DUO Security’s product. UPDATE as of 3pm MST 11/2/16: This blog post demonstrates a two-factor authentication bypass technique against Microsoft Outlook Web Access where the third-party 2FA vendor was DUO Security. The full timeline of this disclosure can be found in a section at the end of the blog post. As of the publication date of this post(November 2nd, 2016) Microsoft have not responded with any updates other than to say there are no updates. This vulnerability was reported to Microsoft on September 28th, 2016. Full Disclosure: Black Hills Information Security believes in responsible disclosure of vulnerabilities. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques. ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations.
0 kommentar(er)
